"Iso 27001 Presentation for Employees - PowerPoint"
ISO 27001 compliance as prima facie evidence of good faith action
Spring 2010 - IPOL
Mark Thompson-Kolar, MSI 2011, Tailored/HCI

The Breach Problem
• Records with sensitive personal information (PII) in security breaches in U.S. since 2005: more than 346 million (not all reported!)
• U.S. population: 307 million. More than 1 breach per resident.
• PII: identifiable data, usually includes social security number, credit card nos., with names, addresses ... biometric.
Sources: Privacy Rights Clearinghouse, March 13, 2010 & U.S. Census Bureau estimate, July 2009

Breaches Not Going Away
• Breaches will keep happening.
• “You cannot anticipate every internal and external threat, nor can you predict when an employee will prove dishonest or capable of a major mistake. No security system is bulletproof. ... The question is not 'if' your data will be compromised, it is 'when.'”
(Image from Datarati: Actionable Insights)
Source: Tedder, K. January 2010. A First Data White Paper: Don't Wait for a Data Compromise.

U.S. Info Security Regulatory Framework
Regulation: Information covered
• HIPAA / HITECH: Health records
• Sarbanes-Oxley: Corporate financial
• FCRA/FACTA: Consumers' credit
• Gramm-Leach-Bliley: Personal financial
• FTC Act 5: Deceptive practices

Breach Examples: ChoicePoint
• ChoicePoint, a large data broker based in Atlanta, Ga.
• 800-plus cases of identity theft resulting from theft of data.
• Violations alleged: Fair Credit Reporting Act and FTC Act 5.
• 2006: settles FTC breach charges: $10 million in civil penalties, $5 million for consumer redress.
Source: FTC news release

Breach Examples: TJX
• The TJX Cos. Inc., major discount retailer.
• 455,000 consumers' PII taken in 2005-06.
• FTC alleged TJX failed to use reasonable and appropriate security measures to prevent unauthorized access to PII.
• Banks claimed tens of millions of dollars in fraudulent charges made on the cards.
• Company had passed a checklist-style audit under Payment Card Industry Data Security Standards.
Source: FTC news release

Breach Examples: Dave & Buster's
• March 25, 2010: Dave & Buster’s, Inc. restaurants.
• FTC charges company left consumers’ credit and debit card information vulnerable to hackers: 130,000 cards.
• Failed to take reasonable steps to secure this sensitive PII on its network.
• Several hundred thousand dollars in fraudulent charges.
Source: FTC news release

Security in Settlements
ChoicePoint required by FTC to:
• Establish and maintain a comprehensive information security program.
• Company must obtain audits by an independent, third-party security professional every other year for 20 years.
Source: FTC news release

Security in Settlements
TJX required by FTC to:
• “...Establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers.”
• Security program must “contain administrative, technical, and physical safeguards appropriate to each company’s size, the nature of its activities, and the sensitivity of the personal information it collects.”
Source: FTC news release

Security in Settlements
Dave & Buster's required by FTC to:
• Put in place a comprehensive information security program.
• Establish and maintain a program designed to protect the security, confidentiality, and integrity of customers' PII.
• Obtain independent, professional audits every other year for 10 years.
Source: FTC news release

Seeing a Trend
• Recent Dave & Buster's settlement is FTC’s 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.
• Settlements fairly consistent in what breached companies must do.
• Primary point: improve processes by establishing a comprehensive information security program.

Consideration for Good Actors
• Data breaches of PII will continue.
• Settlements require improvement processes, not checklists.
• How to get companies to do well-regarded improvement processes sooner, not later?
• Reward for “doing right thing”: consistent, up-front “prima facie” consideration of such steps as evidence of good faith action if a breach occurred.

ISO 27001 Suggestion
• Need a very highly regarded data security standard.
• ISO 27001 would be a superb choice.
• There are others, outside the scope of this presentation [one other that might make sense]: CObiT (Control Objectives for Information and related Technology), a set of best practices for IT management.
Source: Solutionary

About ISO 27001 (& Family)
• Collection of interrelated data security standards.
• Developed by Switzerland-based NGO (International Organization for Standardization).
• ISO is a global network that identifies what International Standards are required by business, government and society, and develops them in partnership with the sectors that will put them to use ...
Source: International Organization for Standardization

ISO 27001 Overview
• 27001 respected as a comprehensive framework.
• Aka “Information Security Management Systems” (ISMS).
• Establishes risk management processes: some data is more vital to protect; must examine what information you have.
• Encourages continual improvement to business practices: very important, as the security vulnerability environment never stops changing.
Source: International Organization for Standardization

ISO 27001 Certifications
• March 2010: the total number of companies worldwide that had achieved ISO 27001 certification was 6,385.
• Just 95 of them were located in the U.S.
Sources: International Register of ISMS Certificates, National Geophysical Data Center

ISO 27001 Strengths
Utilizes Plan-Do-Check-Act methodology:
• PLAN. Clause 4 expects firm to plan the establishment of the organization’s ISMS.
• DO. Clause 5 expects firm to implement, operate, and maintain its ISMS.
• CHECK. Clauses 6 and 7 expect firm to monitor, measure, audit, & review the ISMS.
• ACT. Clause 8 expects company to take corrective and preventive actions, and continually improve the ISMS.
Source: JBW Group International

Additional ISO 27001 Strengths
More on Plan-Do-Check-Act methodology:
• Works with a variety of regulations and kinds of information.
• Company must know all relevant legal, regulatory, industry standards and contractual requirements that affect the business's use of information assets.
• Outlines 11 control areas, 39 control objectives and 133 specific controls.
• NOT a “checklist” standard. Process driven. IS a risk-assessment-driven standard.
Source: JBW Group International

ISO 27001 & Risk Assessment
“When organizations implement ISO 27001, not only do they safeguard assets through best practice controls, they empower their organization with a risk-assessment methodology that assures the proper treatment of all risks ... (this) allows an organization to be ever responsive to new risks and to address each risk in a manner most suitable to their organization at the time.”
Source: Barry L. Kouns, security consultant and principal with SQM-Advisors consultants

ISO 27001 & Due Diligence
• Due diligence: corporate officers operate in line with accepted business practices and follow all relevant laws and other regulatory requirements.
• ISO 27001's guidelines, evaluation criteria and reference standards help companies practice DD.
• “Developers should be prepared to show they have used security processes at least as thorough and demanding as those of equivalent ISO 27001 rated systems. This will establish due diligence ...”
Source: Edward H. Freeman, data security consultant

ISO 27001 & Regulatory Enforcement
Looking back at the regulatory settlements ...
“Trends in enforcement actions, and what they impose in the way of security program requirements look a lot like clauses 4-8 of ISO 27001”
Source: Patrick Sullivan, JBW Group International

TJX Settlement | ISO 27001
Settlement: Establish and maintain a comprehensive security program ... contain administrative, technical, and physical safeguards appropriate to each company’s size, the nature of its activities, and the sensitivity of PII it collects.
ISO 27001, Clause 4: “Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that ... takes business and legal or regulatory requirements as well as contractual security obligations into account ... aligns with the organization’s strategic risk management context.”
Sources: FTC, CQR Payments

TJX Settlement | ISO 27001
Settlement: Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.
27001, Clause 4: Identify, analyze and evaluate the risks; select control objectives and controls for the treatment of risks.
Sources: FTC, CQR Payments

TJX Settlement | ISO 27001
Settlement: Evaluate and adjust information security programs to reflect results of monitoring.
27001, Clause 4: Conduct internal ISMS audits at planned intervals and update security plans to take into account the findings of monitoring and reviewing activities.
Sources: FTC, CQR Payments

TJX Settlement | ISO 27001
Settlement: Designate an employee or employees to coordinate the information security program.
27001, Clause 5: Explicitly states the management responsibility for the ISMS and details the necessary requirements pertaining to management commitment and resource management, including provision of resources as well as training, awareness and competence.
Sources: FTC, CQR Payments

ISO 27001 Isn't Perfect
Some criticisms:
• It focuses on certifying the “process” by which you determine which controls should be in place, not that the controls actually are in place.
• Without significant testing to validate that the technical controls are operating as planned, it can lead to a false sense of security.
• It doesn't include controls guidance for software applications, a major source of risk.
Success is in implementation. Adherence to Plan-Do-Check-Act lets businesses avoid these issues.
Source: John Verry, Pivot Point Security

Reasons to Favor ISO 27001
• Respected globally as a solid framework.
• Employs a risk management process.
• Supports a company's due diligence efforts.
• Improves corporate processes.
• Has clear points of connection with U.S. law and is effective in a multi-agency regulatory framework.
• Handles a variety of information types.
• Use growing worldwide; makes sense to use as businesses go global.

ISO-lated?
• Is ISO 27001 the only viable option for prima facie consideration?
• No. But it's one that makes good sense.

Thank you!